CVE-2017-9979

Sažetak

On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS.

Reference

http://packetstormsecurity.com/files/143780/OSNEXUS-QuantaStor-4-Information-Disclosure.html
http://seclists.org/fulldisclosure/2017/Aug/23
http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt
https://www.exploit-db.com/exploits/42517/

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

08-09-2017 - 02:28

Objavljeno

28-08-2017 - 19:29